[Skiboot] [PATCH 0/3] Use real Container Verification Code in Mambo

Stewart Smith stewart at linux.ibm.com
Mon Jul 29 11:44:27 AEST 2019

Secure Boot (for firmware) on POWER9 uses an in-memory copy of the
Container Verification Code (CVC), which the source comes from hostboot,
and the data structure is set up as part of early boot in the SBE and

Prior to this patchset, the way we simulated secure boot was to have a
"fake" securerom that was really just calling mbedtls sha512 and
comparing the hashes. This worked Well Enough(TM) for P8 and P9 testing,
but didn't reflect the guts of what would happen on real hardware.

This patchset grabs a dump of the CVC code from a real machine set up
for development keys, and we can thus make the *exact* same calls into
it as what occurs on real hardware.

The CVC code is imported as a blob rather the source from
hostboot/src/securerom and the various bits of setup mostly for
maintaining one's sanity.

This also will help in the testing of the mmu patchset as for some
reason when we enter the CVC code we clear r2, which adds a bit of fun
and adventure to the whole endeavour.

Stewart Smith (3):
  libstb: export CVC/securerom code memory range
  Add CVC code dump for use with Mambo
  mambo: enable use of real Container Verification Code

 external/mambo/CVC                           | Bin 0 -> 65535 bytes
 external/mambo/README.md                     |  11 +++
 external/mambo/skiboot.tcl                   |  70 +++++++++++++++++--
 libstb/cvc.c                                 |  21 +++++-
 test/hello_world/run_mambo_p9_hello_world.sh |   1 +
 test/sreset_world/run_mambo_p9_sreset.sh     |   1 +
 6 files changed, 97 insertions(+), 7 deletions(-)
 create mode 100644 external/mambo/CVC


More information about the Skiboot mailing list